NAS-133968 / 25.10 / Update mtree to better support cryptographic verification for STIG (#824)

* Fixup list of file system object to remove or ignore. Added a 'fixup' list to handle objects that get their permission changed on install. * Update comment.
2026-02-15 07:29:12 +00:00 · 2025-02-19 10:45:16 -08:00
parent b757a0bf19
commit 81dcc109a4
1 changed files with 27 additions and 0 deletions
--- a/scale_build/image/mtree.py
+++ b/scale_build/image/mtree.py
@@ -17,6 +17,7 @@ MTREE_DIRS = ['boot', 'etc', 'usr', 'opt', 'var', 'conf/audit_rules']
 # eliminate files being flagged as changed rather than simply added to our
 # base install.
 ETC_FILES_TO_REMOVE = [
+    'etc/audit/rules.d/audit.rules',  # Not used by TrueNAS
    'etc/exports',
    'etc/ftpusers',
    'etc/idmapd.conf',
@@ -40,6 +41,18 @@ ETC_FILES_TO_REMOVE = [
    'etc/snmp/snmpd.conf',
    'etc/ssh/sshd_config',
    'etc/syslog-ng/syslog-ng.conf',
+    'etc/rc2.d/K01ssh',             # systemd removes these symlinks on ssh start
+    'etc/rc3.d/K01ssh',
+    'etc/rc4.d/K01ssh',
+    'etc/rc5.d/K01ssh',
+    'etc/initramfs-tools/modules',  # These two are not used by systemd
+    'etc/modules',
+]
+
+# Some files or directories get the permission mode changed on install.
+# The following is a list of tuples (files, mode).
+# Preemptively change the mode before generating the mtree.
+OBJS_TO_FIXUP = [
 ]


@@ -67,6 +80,13 @@ def _do_mtree_impl(mtree_file_path, version):
            '/usr/bin/bsdtar',
            '-f', f.name,
            '-c', '--format=mtree',
+            '--exclude', './boot/initrd.img*',
+            '--exclude', './etc/aliases',
+            '--exclude', './etc/audit/audit.rules',  # TrueNAS managed and audited
+            '--exclude', './etc/console-setup/cached_setup_*',
+            '--exclude', './etc/default/keyboard',
+            '--exclude', './etc/default/kdump-tools',
+            '--exclude', './etc/default/zfs',        # Modifed in usr/local/bin/truenas-initrd.py
            '--exclude', './etc/fstab',
            '--exclude', './etc/group',
            '--exclude', './etc/machine-id',
@@ -90,6 +110,7 @@ def _do_mtree_impl(mtree_file_path, version):
            '--exclude', './var/log/*',
            '--exclude', './var/lib/dbus/machine-id',
            '--exclude', './var/lib/certmonger/cas/*',
+            '--exclude', './var/lib/smartmontools/*',
            '--options', '!all,mode,uid,gid,type,link,size,sha256',
        ]
        run(cmd + MTREE_DIRS)
@@ -110,6 +131,12 @@ def generate_mtree(target_root_dir, version):
    for file in ETC_FILES_TO_REMOVE:
        os.unlink(os.path.join(target_root_dir, file))

+    # Some files and/or directories get their permission mode changed
+    # after install.  We preemptively make those mode changes here
+    # to avoid unnecessary reporting.
+    for fs_obj, mode in OBJS_TO_FIXUP:
+        os.chmod(os.path.join(target_root_dir, fs_obj), mode)
+
    mtree_file_path = os.path.realpath(MTREE_UPDATE_FILE)

    with chdir(target_root_dir):